Jan 23 2024 Last Week in Security (LWiS) - 2024-01-23

News

• MiraclePtr: protecting users from use-after-free vulnerabilities on more platforms. The Chrome team has taken steps to protect against user-after-free vulnerabilities, and it's paying off (at the price of 1-3% worse performance)!
• Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard. Why could a non-production test tenant access senior leadership email? Interesting that these actors were looking for information about themselves. Very nation-statey.

Techniques and Write-ups

• Calling Home, Get Your Callbacks Through RBI - If you're a fan of cloudflare. This is a good read. Circumvent Remote Browser Isolation (RBI) technology during offensive assessments.
• Ransomware Deployment Attempts Via TeamViewer - Traitorware is back at it again!
• Level Up Your Reporting - Fundamental concepts of writing a good offensive security report. Except you should never use pixelation to redact data!
• Stealing your email with a .txt file - Haven't seen a lot of enterprise wide use of roundcube but still a cool bug being exploited.
• Web3's Achilles' Heel: A Supply Chain Attack on Astar Network - Another episode of self-hosted runner exploitation. The researcher is banned from a bug bountry platform after hacking all the things... "The vulnerability allowed anyone who could fix a typo in the astarNetwork/astar repository to modify the release binaries for their validator nodes and wasm runtimes." He modified a 2 week old release with a single print statement, a release that would not be pulled by anyone following the docs to set up a validator. Seems like a reasonable PoC to me. 🤷
• Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining - We hope to see these more and more in the future. Technical write-ups of what threat actors are doing in the cloud can help shape our adversary simulation strategy.
• Outlook Vulnerability Discovery and New Ways to Leak NTLM Hashes - Another outlook vuln fresh off the press. Windows just really, really, wants to authenticate with NTLMv2.
• The Second Wednesday Of The First Month Of Every Quarter: Juniper 0day Revisited. I am no longer surprised by insecure security appliances.
• Do not trust this Group Policy!. Some interesting GPO based LPEs that won't be fixed (for now).
• Insomni'hack 2024 CTF Teaser - Cache Cache. Normally I don't post CTF write ups, but this is a unique, Windows challenge based on a real vulnerability class (and a well done write up by the challenge author).

Tools and Exploits

• Cobalt-Strike-Profiles-for-EDR-Evasion - Some ideas to modify CS profiles to bypass simple EDR checks. However, if you want to use SourcePoint I'm not sure I would trust the copy in this random repository...
• GraphStrike - Cobalt Strike HTTPS beaconing over Microsoft Graph API implemented as a user defined reflective loader (URDL). Appreciate the Why? section on this one. Better hope those Blue team network sensors have really good anomaly detection, because this will use legitimate microsoft domains for C2. However, now you have Microsoft's threat team to deal with, and there has been some discussion that they will ban accounts that conduct C2 over their API if they detect it.
• hi_my_name_is_keyboard. Zero click Bluetooth exploits for Android prior to the 2023-12-05 security patch (and Android <= 10 forever). Nice close access method to get payloads on an Android phone (assuming the target won't notice their screen acting up on its own). It also works against macOS and iOS (iOS < 17.2, Magic Keyboard Firmware < 2.0.6) if you can trigger it exactly when the computer/phone attempts to connect with an Apple Magic keyboard via Bluetooth.
• slippy-book-exploit - CVE-2023-44451, CVE-2023-52076: RCE Vulnerability affected popular Linux Distros including Mint, Kali, Parrot, Manjaro etc. EPUB File Parsing Directory Traversal Remote Code Execution.
• atril_cbt-inject-exploit - CVE-2023-44452, CVE-2023-51698: CBT File Parsing Argument Injection that affected Popular Linux Distros.
• Awaiting the Awaitables - Building the AwaitFuscator. I doubt this is practical for programs of any complexity, but it's got to be one of the most bizarre obfuscators since the movfuscator. Code here.
• proxy-helper-the-sequel - Port/rework of proxy-helper plugin for hak5 Pineapples.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• How to protect Evilginx using Cloudflare and HTML Obfuscation - Some solid OPSEC tips on protecting your RTA infrastructure.
• Realm - Realm is a cross platform Red Team engagement platform with a focus on automation and reliability. This was in the LWiS 2023-10-24, but the ShmooCon talk is what bubbled it back up for me and made me really look into it. The docs look great and I plan to play with this one very soon.
• GHunt - Recently got an update (OAuth based instead of cookies). Check it out!
• ADCSync - Use ESC1 to perform a makeshift DCSync and dump hashes.
• RemoteRegSave - A .NET implementation to dump SAM, SYSTEM, SECURITY registry hives from a remote host.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.